MPs accuse ICO of failing to do its job on contact-tracing data


A bipartisan group of MPs put together by privacy activists at the Open Rights Group has accused the Information Commissioner’s Office (ICO) of allegedly failing to enforce privacy standards and to hold the government accountable for its Covid-19 Test and Trace program.

The Test and Trace program has been illegal since its inception, as the Department of Health and Welfare (DHSC) failed to conduct a mandatory Data Protection Impact Assessment (DPIA) under ICO rules.

Jim Killock, Executive Director of the Open Rights Group, said there was “something rotten” at the heart of the ICO that was causing the organization to tolerate illegal behavior by the UK government.

“The ICO is a public body funded by taxpayers and accountable to parliament. You need to sit up, listen, and act now. As a regulator, ICO must ensure that the government is complying with the law. You need to heed the lessons of what happened to Public Health England. The only way to avoid this fate is to enforce the law and properly discharge their legal responsibilities,” Killock said.

In an open letter to the ICO, MPs called on Information Commissioner Elizabeth Denham to “do the right thing” and urge the government to make changes to the Test and Trace program to increase public confidence in the safe and legal processing of their data.

Green MP Caroline Lucas, one of 22 MPs who signed the letter, said: “A privacy risk assessment is not an optional addition. It is a legal requirement and it is important if people are to be reassured that when their data is given to contact tracers, that data will not be misused.

“We will only get through this Covid pandemic if there is trust in the ministers and in the systems they have set up,” said Lucas. “This trust is already being stretched very thinly. If people are to have confidence in the test and trace system, the risk of data leaks must be assessed and measures must be taken to prevent this.”

Co-signer Daisy Cooper, a Liberal Democrat MP and DCMS spokeswoman for the party, added: “The government has appeared to have been quick and easy with data protection measures to keep people safe. The public needs a data regulator with teeth: the ICO needs to stop sitting on its hands and use its powers to assess what needs to be changed and enforce those changes to ensure that the government keeps people’s data safe, secure and used legally.”

SNP’s John Nicholson said: “A weak regulator that fails to hold the government accountable is endangering the health and safety of people in Scotland and across the UK. Failure to address privacy concerns puts public health at risk. The government and the ICO must both take this very seriously.”

Toni Vitale, head of data protection at law firm JMW, said the failure to conduct a DPIA left the NHS and the government in violation of both the General Data Protection Regulation (GDPR) and the 2018 Data Protection Act, leaving the NHS at risk of enforcement action and a high fine.

“The government said there is no evidence that data is being used illegally or at risk to individuals, but there is no way they can know without doing a DPIA. Maybe this is another example of one law for the government and another for the rest of us,” he said.

“It’s not a good example, especially as many companies are now processing data about their employees – and in some cases about customers – including new data on Covid-19 test results. Some of these organizations need to do a DPIA and the government/NHS should do it,” added Vitale.

In response to the letter, an ICO spokesperson said: “Our regulatory obligations include advising and monitoring the work of controllers. Our approach during the pandemic has been to provide advice on the privacy impact of a number of initiatives by the UK government, the NHS, local councils and private sector organizations to respond to the public health crisis.

“We understand and recognize that the government and other organizations needed to act quickly to address the national health emergency, and we have outlined their privacy obligations and provided them with timely guidance and expertise. We have published much of this work in order to ensure transparency and will review and investigate, if necessary, arrangements to ensure that people’s rights to information are respected.

“We will continue to uphold people’s information rights and act where our advice is not followed and where we find serious, systemic or negligent behavior that endangers the protection of people.”

Elizabeth Denham, a Canadian citizen, has also been criticized and has faced calls for her resignation after being found working from her home in British Columbia on Canada’s west coast, eight hours from the UK.

The revelation was met with anger from privacy campaigners, many of whom accused her of resigning at a crucial time, despite the ICO saying Denham adhered to UK office hours and worked closely with her team. She is scheduled to return to the UK in September.